
Worm:Win32/Phorpiex.O


First posted on 13 December 2012.
Source: Microsoft

Aliases:

Worm:Win32/Phorpiex.O is also known as Trojan-Downloader.Win32.Andromeda (Ikarus), Trojan-Downloader.Win32.Andromeda.cak (Kaspersky), Win-Trojan/Andromeda.34816 (AhnLab), Trojan.Win32.Madon (Ikarus).

Explanation:

Worm:Win32/Phorpiex.O is a worm that downloads other files which may be detected as malware. The worm spreads via instant messaging software, such as Google Talk, ICQ, Paltalk, Skype, Windows Live Messenger and Xfire.

You may unknowingly download the worm, thinking it is something else.

It is a member of the Win32/Phorpiex family of worms.

Installation

When you run or open the file, Worm:Win32/Phorpiex.O is launched and drops the following component files into the %TEMP% folder:

  • NRRQSCAkYD.zuG
  • ZSa<two-digit random number>.tmp

These files may be used by the worm to assist in its delivery of the payload.

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of this folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

After it has performed its malicious payload, the worm drops and runs the following file to remove itself from your computer:

%TEMP%\rmrf<four-digit random number>.bat

Spreads via...

Instant messaging

Worm:Win32/Phorpiex.O spreads by using a number of different messaging applications, including Google Talk, ICQ, Paltalk, Skype, Windows Live Messenger and Xfire.

The worm sends a message to all of your contacts, luring them into downloading and opening a picture. The picture may be a copy of the worm.

The message is localized, and the worm chooses which message to send based on the set language of your computer.

The worm uses the following messages if your language is set to Dutch:

  • ben jij dat op dit foto?
  • dit foto zal je echt eens bekijken!
  • ik hoop dat jij het net bent op dit foto
  • ken je dat foto nog?
  • ken je dit foto al?
  • kijk wat voor een foto ik heb gevonden
  • zo iets leilijk heb ik nog nooit in mijn leven gezien

The worm uses the following messages if your language is set to English:

  • i cant believe i still have this picture
  • i don't think i will ever sleep again after seeing this photo
  • should i make this my default picture?
  • tell me what you think of this photo
  • tell me what you think of this picture i edited
  • this is the funniest photo ever!

The worm uses the following messages if your language is set to French:

  • c'est la photo la plus marrante!
  • devrais-je mettre cette photo de profile?
  • dis moi ce que tu pense de cette photo de moi?
  • je n'arrive pas a croire que j'ai encore cette photo de toi depuis l'hiver dernier.
  • je ne pense pas que je vais pouvoir dormir après avoir vu ces photos.
  • mes parents vont me tués si ils trouvent cette photo

The worm uses the following messages if your language is set to German:

  • bist du das auf dem foto?
  • das foto solltest du wirklich sehen
  • hab ich dir das foto schon gezeigt?
  • kennst du das foto schon?
  • schau mal das foto an
  • schau mal welches foto ich gefunden hab
  • so will ich nicht aussehen wenn ich alt bin
  • unglaublich welche fotos leute von sich machen schau mal
  • wie findest du das foto?

The worm uses the following messages if your language is set to Italian:

  • chi e in questa foto?
  • conosci la persona in questa foto?
  • dopo che hai visto la foto, tu non dormirai piu
  • hai visto questa foto?
  • la foto e grandiosa!
  • ti piace la foto?
  • ti ricordi la Foto?

The worm uses the following messages if your language is set to Romanian:

  • asta e ce-a mai funny poza! tu ce zici?
  • nu cred ca voi mai putea dormi dupa ce am vazut poza asta. tu ce zici?
  • nu imi mai voi face niciodat poze!! toate ies urate ca asta.
  • spune-mi ce crezi despre poza asta.
  • zimi ce crezi despre poza asta?

The worm uses the following messages if your language is set to Spanish:

  • a tengo esta foto tuya del invierno pasado, te acordas?
  • creo que no voy a poder dormir más despues de ver esta foto. mirá
  • esta foto es gracios
  • mis padres me van a matar si ven esta foto mia, que decis?
  • no puedo creer que todav
  • quedarí a bien si pongo esta foto en mi perfil? o me veo medio mal?

Payload

Downloads arbitrary files

Worm:Win32/Phorpiex.O attempts to download a file (detected as Worm:Win32/Phorpiex.O) from "https://<removed>.com/dl/177936932/497544a/mkk.exe.html".

The file is downloaded to the %TEMP% folder with the file name "<six-digit random number>.exe".

Worm:Win32/Phorpiex.O then runs the file.
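A defender-side triage helper, added here and not part of the Microsoft entry, that checks a %TEMP% listing for the dropped and downloaded file names described under Installation and Payload above. The random parts are modelled as the digit counts the entry gives, the sample listing is constructed, and the "strong"/"weak" split is my own judgement: only the fixed component name is distinctive, while a six-digit .exe or a ZSa##.tmp can collide with benign files.

```python
import os
import re
from pathlib import Path

# Artifact name patterns from the encyclopedia entry above.
# label: (regex, is_strong_indicator). Assumption: the fixed name is the
# only pattern distinctive enough to stand on its own.
PHORPIEX_O_ARTIFACTS = {
    "component_file":  (re.compile(r"^NRRQSCAkYD\.zuG$", re.I), True),
    "component_tmp":   (re.compile(r"^ZSa\d{2}\.tmp$", re.I), False),
    "self_delete_bat": (re.compile(r"^rmrf\d{4}\.bat$", re.I), False),
    "downloaded_exe":  (re.compile(r"^\d{6}\.exe$", re.I), False),
}


def classify_temp_entries(names):
    """Return {filename: label} for every entry matching a known artifact pattern."""
    hits = {}
    for name in names:
        for label, (pattern, _strong) in PHORPIEX_O_ARTIFACTS.items():
            if pattern.match(name):
                hits[name] = label
                break
    return hits


def verdict(hits):
    """'strong' if the fixed-name component is present, 'weak' if only
    random-name artifacts matched, 'none' if nothing matched."""
    labels = set(hits.values())
    if any(PHORPIEX_O_ARTIFACTS[label][1] for label in labels):
        return "strong"
    return "weak" if labels else "none"


def scan_temp_dir(temp_dir):
    """Non-recursive scan of a real Temp folder; returns (hits, verdict)."""
    names = [p.name for p in Path(temp_dir).iterdir() if p.is_file()]
    hits = classify_temp_entries(names)
    return hits, verdict(hits)


# Constructed sample listing (not from a real infection): four true hits,
# plus near-misses with the wrong digit count and ordinary temp files.
SAMPLE_TEMP_LISTING = [
    "NRRQSCAkYD.zuG", "ZSa07.tmp", "rmrf4821.bat", "493817.exe",
    "ZSa7.tmp", "12345.exe", "report.pdf", "~DF1A2B.tmp",
]

if __name__ == "__main__":
    sample_hits = classify_temp_entries(SAMPLE_TEMP_LISTING)
    for name, label in sample_hits.items():
        print(f"{label:16} {name}")
    print("verdict:", verdict(sample_hits))
    # Live check of the current user's Temp folder (%TEMP% on Windows):
    print(scan_temp_dir(os.environ.get("TEMP", "/tmp")))
```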

Related encyclopedia entries

Win32/Phorpiex

Analysis by Alden Pornasdoro

Last update 13 December 2012